2 Answers

NIST SP 800-57 is a long and very general standard, applying primarily to details such as key purpose, length, lifetime, and other details that are typically independent of the application in use. Perhaps you should review that standard's documentation, identify the requirements relevant to your application, and narrow your question to reflect the specific requirements that your application needs to implement.

Note that finding an application written specifically to implement key and password management best practices doesn't make a whole heap of sense, since key and password management needs to be integrated into the application that actually uses the passwords and keys, rather than a stand-alone solution. So it's unclear what an application specifically for enforcing key lifetime, length, etc., would actually do, and how it would fit into your general workflow.

Also key management practices are as much about configuration, usage, and deployment of your application as they are about the code itself, and probably significantly more so.

Thanks for the answer. Are you saying that NIST is more of a policy and organizational based, rather than technology based specification? The specification does reference AES, and phpAES is FIPS 197 compliant. It also says that "The approved algorithms for encryption/decryption are symmetric key algorithms: AES and TDEA". So, AES sounds like an acceptable cipher for this specification.
– Nimbuz Dec 17 '12 at 16:52


@Nimbuz, no, I don't think that's right. I think what tylerl is saying is that you need to first identify what are the requirements for your particular application, before it makes sense to start looking for libraries and solutions and implementations of crypto-algorithms. Also, I think he's saying that this has to be integrated into your application: you can't get good key management by simply adding on a library. Yes, AES is an acceptable cipher if used properly (e.g., in an AEAD mode of operation), but key management is a separate issue from algorithm selection.
– D.W. Dec 18 '12 at 4:51

While PCI DSS does not specifically require NIST SP 800-57 compliance for key management, it does make reference to NIST and other international standards in this area (see the PCI DSS Glossary and Navigation Guide). Deploying a key management solution that is NIST certified goes a long way towards complying with PCI DSS. Minimally, you should look for a FIPS 140-2 validation of the key manager. Vendor solutions that are validated can be found here:

You need to exercise some caution about vendor claims of FIPS 140-2 compliance. It is not enough that a key management component is FIPS 140-2 certified. If the vendor's solution is not on the NIST web site, it isn't NIST validated.

PCI DSS makes reference to other key management best practices such as dual control, separation of duties, and split knowledge. These are described reasonably well in the PCI DSS navigation guide. Well worth taking a quick read. These concepts also come from NIST publications and security best practices.

We emailed townsendsecurity but haven't heard back from them yet. Can you give an idea of how much a key manager costs per month or annually?
– Nimbuz Dec 18 '12 at 5:17

Patrick, welcome to the site, and thanks for the answer. Please don't use this as an advertising slot, however; you can place contact info in your profile, just not in a question or answer, please.
– Rory Alsop♦ Dec 18 '12 at 7:37